Automation

A powerful low-to-no-code approach that allows your SOC to start automating complex tasks on day one.

Installable workflows

These are additional workflows that you can choose to install from Cisco, its partners, and the Cisco XDR community. These are not installed by default and offer additional use cases beyond the workflows built into Cisco XDR. More information about installable workflows can be found in the Cisco XDR product documentation.

Cisco Managed
This workflow appears in the pivot menu and allows you to add an IP address to a network group in Check Point Quantum Smart-1.
Cisco Managed
This workflow appears in the pivot menu and allows you to request approval to isolate a host using Cisco Secure Endpoint.
Cisco Managed
This workflow appears in the pivot menu and allows a user to release a machine from isolation in Microsoft Defender for Endpoint.
Cisco Managed
This incident response workflow allows you to disable one or more users in Microsoft Entra ID from a playbook.
Cisco Verified
This workflow appears in the pivot menu and allows a user to restore a VMware vSphere VM to its most recent viable snapshot in Rubrik Security Cloud.

Built-in workflows

Workflows typically achieve an end-to-end use case: for example, fetching information from an incident, identifying endpoints to isolate, and requesting isolation for each endpoint. If you're familiar with software development, think of a workflow as a script that achieves an end-to-end outcome by taking one or more smaller steps. The workflows listed here are built into Cisco XDR and do not require installation or, in most cases, configuration. More information about workflows can be found in the Cisco XDR product documentation.

Cisco Managed
This workflow consumes one or more hostnames and attempts to isolate matching endpoints in all supported products.
Cisco Managed
This workflow consumes one or more SHA-256 file hashes and attempts to block them in all supported products.
Cisco Managed
This workflow consumes one or more IP addresses and attempts to block them in all supported products.
Cisco Managed
This workflow consumes one or more email message IDs and attempts to quarantine matching messages in all supported products.
Cisco Managed
This workflow consumes one or more email message IDs and attempts to delete matching messages in all supported products.

Built-in actions

Also known as atomic actions, these are small, reusable components you can use when building a workflow. Cisco XDR comes with over 500 actions built in for various products and capabilities, or you can build your own. If you're familiar with software development, think of a workflow as a script that achieves an end-to-end outcome and an action as a function within the script. Actions usually perform a specific, single task, such as creating a ticket or sending an instant message. More information about built-in actions can be found in the Cisco XDR product documentation.